Example 1 with GetSessionTokenResult
use of com.amazonaws.services.securitytoken.model.GetSessionTokenResult in project hadoop by apache.
the class ITestS3ATemporaryCredentials method testSTS.
/**
* Test use of STS for requesting temporary credentials.
*
* The property test.sts.endpoint can be set to point this at different
* STS endpoints. This test will use the AWS credentials (if provided) for
* S3A tests to request temporary credentials, then attempt to use those
* credentials instead.
*
* @throws IOException
*/
@Test
public void testSTS() throws IOException {
Configuration conf = getContract().getConf();
if (!conf.getBoolean(TEST_STS_ENABLED, true)) {
skip("STS functional tests disabled");
}
S3xLoginHelper.Login login = S3AUtils.getAWSAccessKeys(URI.create("s3a://foobar"), conf);
if (!login.hasLogin()) {
skip("testSTS disabled because AWS credentials not configured");
}
AWSCredentialsProvider parentCredentials = new BasicAWSCredentialsProvider(login.getUser(), login.getPassword());
String stsEndpoint = conf.getTrimmed(TEST_STS_ENDPOINT, "");
AWSSecurityTokenServiceClient stsClient;
stsClient = new AWSSecurityTokenServiceClient(parentCredentials);
if (!stsEndpoint.isEmpty()) {
LOG.debug("STS Endpoint ={}", stsEndpoint);
stsClient.setEndpoint(stsEndpoint);
}
GetSessionTokenRequest sessionTokenRequest = new GetSessionTokenRequest();
sessionTokenRequest.setDurationSeconds(900);
GetSessionTokenResult sessionTokenResult;
sessionTokenResult = stsClient.getSessionToken(sessionTokenRequest);
Credentials sessionCreds = sessionTokenResult.getCredentials();
String childAccessKey = sessionCreds.getAccessKeyId();
conf.set(ACCESS_KEY, childAccessKey);
String childSecretKey = sessionCreds.getSecretAccessKey();
conf.set(SECRET_KEY, childSecretKey);
String sessionToken = sessionCreds.getSessionToken();
conf.set(SESSION_TOKEN, sessionToken);
conf.set(AWS_CREDENTIALS_PROVIDER, PROVIDER_CLASS);
try (S3AFileSystem fs = S3ATestUtils.createTestFileSystem(conf)) {
createAndVerifyFile(fs, path("testSTS"), TEST_FILE_SIZE);
}
// now create an invalid set of credentials by changing the session
// token
conf.set(SESSION_TOKEN, "invalid-" + sessionToken);
try (S3AFileSystem fs = S3ATestUtils.createTestFileSystem(conf)) {
createAndVerifyFile(fs, path("testSTSInvalidToken"), TEST_FILE_SIZE);
fail("Expected an access exception, but file access to " + fs.getUri() + " was allowed: " + fs);
} catch (AWSS3IOException ex) {
LOG.info("Expected Exception: {}", ex.toString());
LOG.debug("Expected Exception: {}", ex, ex);
}
}
Also used :
Configuration(org.apache.hadoop.conf.Configuration)
GetSessionTokenResult(com.amazonaws.services.securitytoken.model.GetSessionTokenResult)
AWSSecurityTokenServiceClient(com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient)
S3xLoginHelper(org.apache.hadoop.fs.s3native.S3xLoginHelper)
GetSessionTokenRequest(com.amazonaws.services.securitytoken.model.GetSessionTokenRequest)
AWSCredentialsProvider(com.amazonaws.auth.AWSCredentialsProvider)
Credentials(com.amazonaws.services.securitytoken.model.Credentials)
AWSCredentials(com.amazonaws.auth.AWSCredentials)
Test(org.junit.Test)
Aggregations
AWSCredentials (com.amazonaws.auth.AWSCredentials)1
AWSCredentialsProvider (com.amazonaws.auth.AWSCredentialsProvider)1
AWSSecurityTokenServiceClient (com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient)1
Credentials (com.amazonaws.services.securitytoken.model.Credentials)1
GetSessionTokenRequest (com.amazonaws.services.securitytoken.model.GetSessionTokenRequest)1
GetSessionTokenResult (com.amazonaws.services.securitytoken.model.GetSessionTokenResult)1
Configuration (org.apache.hadoop.conf.Configuration)1
S3xLoginHelper (org.apache.hadoop.fs.s3native.S3xLoginHelper)1
Test (org.junit.Test)1
